EVALUATION OF THE DESIGN AND IMPLEMENTATION OF PAY-VA

EVALUATION OF THE DESIGN ANDIMPLEMENTATION OF PAY-VA

Report No.: 7D2-G07-019Date: February 14, 1997

Office of Inspector General Washington DC 20420

The PAY-VA system developmenteffort holds significant potential to

streamline VA’s human resource andpayroll functions

Memorandum to:

Assistant Secretary for Management (004)Assistant Secretary for Human Resources and Administration (006)

Evaluation of the Design and Implementation of PAY-VA

1. The purpose of the evaluation was to provide an early assessment of the Departmentof Veterans Affairs (VA) design, development, and implementation process for the newPAY-VA system. The Department is in the initial stages of the PAY-VA systemdevelopment initiative, which includes identifying customization requirements. Weevaluated the adequacy of the development of operating procedures and controls for thesystem. The project focused on (i) assessing the high risk components of the systemdevelopment project encompassing the system life cycle, costs, project management, anduser participation, (ii) assessing key business decisions and assumptions, and (iii)evaluating the coordination and control over the project and over the system’s dataintegrity including the adequacy of controls to prevent unauthorized use or release ofprivacy data.

2. The PAY-VA system development effort is a joint project of the Office of FinancialManagement and the Office of Human Resources Management. PAY-VA’s primaryobjectives are to (i) replace VA’s current antiquated payroll system which processes over$11 billion annually and supports approximately 260,000 employees, and (ii) define andassess options for new system technology. The PAY-VA team has focused ondocumenting current human resources and payroll practices, procedures, and processes,defining a new human resources and payroll model, and identifying administrativemechanisms and implementation strategies in order to reengineer more efficientprocedures and business practices for the Department. This represents a significantDepartment information technology initiative with substantial system life-cycle costsestimated at approximately $115 million. System operating benefits are estimated by theDepartment at about $205 million over time which are primarily attributable to staffingreductions that will be achieved by consolidating support services, eliminating redundantservice delivery functions, and fully leveraging technology.

ii

3. Department managers expect the PAY-VA initiative to result in an integrated systemwith a full range of capabilities and features required to support VA’s functionalrequirements for human resource administration, payroll, benefits administration, andmanagement reporting. The PAY-VA system is being implemented through theacquisition of a Human Resource (HR)/Payroll “Commercially-Off-The-Shelf” (COTS)product. In addition, software development support services are being acquired for thecustomization, deployment, and maintenance of the COTS product. Hardware andsoftware will also be acquired to support the customization and deployment of the newsystem. The planned system has a contract life equal to 10 years. The initial 5 yearsprovides for obtaining the necessary software development support services and includesa 4-year phased approach for deployment. The remaining 5 years provides for futureproduct maintenance releases and upgrades and software development support. TheDepartment has taken delivery on the initial HR and benefits modules and anticipatesdelivery of two additional software modules to provide payroll and time and labor systemfunctionality by July 1997.

4. The PAY-VA system development effort holds significant potential to streamlineVA’s human resource and payroll functions. Our evaluation found that the PAY-VAproject managers have established management control over the multi-faceted details thissystem development effort entails, and user involvement was significant. We identifiedopportunities to enhance PAY-VA implementation efforts concerning projectdocumentation and workplans, cost information, contract deliverables, system security,correction of identified material weaknesses, training, and Contracting Officer’sTechnical Representative (COTR) duties.

5. We found that project documentation and workplans need more regular revisions toidentify and better coordinate the interdependencies associated with significant projectchanges. Strengthening project documentation and workplans can provide Departmentofficials with better information on the overall status of project accomplishments, futuremilestones, contract deliverables, and changes to the overall project and costs.

6. While the majority of project related costs are adequately tracked, projectexpenditure information also needs to be identified and accumulated for costs incurredthrough the Delegation of Procurement Authority and for the Department’s in-housesystem development efforts. Effective accumulation of this cost information will helpassure that VA’s system development costs are identified and future franchisinginitiatives accurately address the costs of services to be sold. In response to our findings,the project team took action during the course of our evaluation to begin tracking andaccounting for these expenditures to ensure that all project costs are captured.

7. Our evaluation also found that the workscope in VA’s contract with its COTS vendorneeds to clearly define what type of products can be acquired under the contract. This

iii

contract provides for the purchase of approximately $1 million in products from theCOTS vendor without describing product specifications or prices. More specificdefinitions of the contract deliverables are needed to provide the opportunity forenhanced oversight of contractor performance and future determinations of pricereasonableness.

8. We found that a PAY-VA system security plan and associated project workplansneed to be completed. Additionally, there is a need to strengthen coordination on thePAY-VA security team and to ensure the timely development of an adequate securityplan. This will ensure the Department is in the best position to address the risksassociated with this decentralized system and to implement controls to mitigate theassociated risks. New features associated with the PAY-VA system such as, paperlessprocessing, readily accessible information, and interconnected systems increase thevulnerability of operations and data to unauthorized modification and disclosure and topotentially devastating interruptions in service.

9. The PAY-VA initiative is expected to address the systemic weaknesses that are in theDepartment’s current Personnel and Accounting Integrated Data (PAID) system.However, our review could not clearly establish how project implementation efforts willensure that the Federal Managers Financial Integrity Act reported instances of materialnon-conformance and reported deficiencies in VA’s 1991 Crossroads Study associatedwith the PAID system had or will be addressed. These issues need to be corrected inorder to ensure that VA’s system is in compliance with the core Federal systemrequirements. As a result of the project’s phased deployment schedule, the PAY-VAproject team should document the basis of specific corrective actions taken. This willhelp ensure that the systemic deficiencies in the PAID system are fully addressed so thatexisting material weaknesses and internal control vulnerabilities will not be carriedforward to the new PAY-VA system.

10. Our evaluation found that formal training is needed for staff tasked with systemtesting, certification, and acceptance responsibilities to ensure a better understanding ofhow to audit state-of-the art client server system technology. The PAY-VA COTR alsoneeds formal training to effectively fulfill the ongoing duties and responsibilities of thisposition.

11. The report includes recommendations to address the issues which are discussedabove. These recommendations can enhance the Department’s PAY-VA implementationproject as it moves beyond the current implementation efforts and addresses other keyproject phases and activities such as system customization, testing, prototyping, anddeployment. The Assistant Secretary for Management and the Assistant Secretary for

iv

Human Resources and Administration noted that our early review will be helpful inensuring the success of the initiative, agreed with the report recommendations directed totheir offices, and provided acceptable implementation actions. We consider the reportissues resolved and will follow up on planned actions until they are completed.

For the Assistant Inspector General for Auditing

[Signed]Mr. Stephen L. Gaskell

Director, Central Office Operations Division

TABLE OF CONTENTS

Page

Memorandum to:

Assistant Secretary for Management (004)Assistant Secretary for Human Resources and Administration (006) ................ i

RESULTS AND RECOMMENDATIONS

1. Project Documentation and Workplans Should beEnhanced to Help Assure Adequate Trackingof Key Implementation Efforts ............................................................................. 1

Conclusion ........................................................................................................... 2

Recommendation 1................................................................................................ 2

2. Complete Project Cost Information Needs to be Maintained................................. .4

Conclusion ........................................................................................................... 5

Recommendation 2................................................................................................ 5

3. Contract Deliverables Need to be SufficientlyDefined ................................................................................................................. 6

Conclusion ............................................................................................................ 6

Recommendation 3................................................................................................ 6

4. A Project Security Plan is Needed to Address Security Controls for the PAY-VA System................................................................................................... 8

Conclusion ............................................................................................................ 8

Recommendation 4................................................................................................ 8

TABLE OF CONTENTS (Continued)

5. FMFIA Reported Instances of Non-Conformance and PreviouslyReported Issues in VA’s 1991 Crossroads Study Needto be Addressed................................................................................................... 10

Conclusion .......................................................................................................... 10

Recommendation 5.............................................................................................. 11

6. Formal Training is Needed for Staff TaskedWith Completing System Software Testing, Acceptance, andCertification Requirements for the PAY-VA Project ........................................... 12

Conclusion .......................................................................................................... 12

Recommendation 6.............................................................................................. 12

7. The Contracting Officer’s Technical Representative NeedsFormal Training on COTR Duties ....................................................................... 14

Conclusion .......................................................................................................... 14

Recommendation 7.............................................................................................. 14

APPENDICES

I OBJECTIVES, SCOPE, AND METHODOLOGY .............................................. 16

II BACKGROUND................................................................................................. 18

III IMPLEMENTATION OF A SHARED SERVICE CENTER............................... 22

IV COTS SOFTWARE COMPONENTS PURCHASEDBY THE DEPARTMENT ................................................................................... 23

V KEY PAY-VA SYSTEM SECURITY CONSIDERATIONS............................... 27

VI ASSISTANT SECRETARY FOR MANAGEMENT AND ASSISTANTSECRETARY FOR HUMAN RESOURCES AND ADMINISTRATION

JOINT COMMENTS...............................................................................................30

VII FINAL REPORT DISTRIBUTION ..................................................................... 35

1

RESULTS AND RECOMMENDATIONS

1. Project Documentation and Workplans Should be Enhanced to Help AssureAdequate Tracking of Key Implementation Efforts

Our review found that project documentation and workplans need more regular revisionsto identify and better coordinate project activities associated with significant projectchanges. We found that project managers were tracking project activities from start tofinish based on the percentage of completion, however workplans needed to identify andshow how significant project changes were affecting the overall project status, costs, andschedule. We found that some project changes needed to be addressed in more detailwithin the workplans, such as a plan for building a temporary interface1 between thePersonnel and Accounting Integrated Data (PAID) and PAY-VA systems. The projecthas also increased significantly in size and cost due to the Department’s initiative toestablish a Shared Service Center (SSC) and to add functionality such as expert systemsto augment the core HR/Payroll software including additional software for interactivevoice response, position classification, and resume processing capability. As a result,project documentation and workplans need to be enhanced to provide better informationaddressing project phases and accomplishments, major milestones, and schedule changes.(A summary of the Department’s efforts to establish a SSC is included in Appendix III onpage 22.)

Because project changes, such as building a temporary interface, present a newchallenge2, costs, and additional risks to the project, workplans need to reflect currentinformation regarding changes to the project. During the course of the audit, PAY-VAofficials began initiating actions to update their project workplans, but the revised planswere not complete at the time we concluded our evaluation. Given the significance of theproject’s costs, complexities, risks, and the long term nature of the PAY-VA systemdesign and implementation phases, project documentation and workplans need to providekey information addressing project phases, major milestones, and accomplishments.Summary level documentation addressing the project in terms of key activities or phasesis needed. This information can help identify and support major modifications, additionsand deletions affecting the project’s scope, budget, cost, and schedule.

1 The interface between PAY-VA and PAID environments is temporary and will be used during the interim period that PAY-VA HR and benefitsmodules are in production without the payroll software module. This interface is needed as a result of using the phased implementation approach andwill be phased out of the production environment as the PAY-VA payroll and time and labor modules are implemented.2 Some of the significant challenges which the PAY-VA project team will face will be to ensure that the information in both the PAY-VA and PAIDsystem remains synchronized while using the temporary interface and to support and maintain an extra system interface.

2

Conclusion

Project Documentation and Workplans Should be Enhanced

The review found that the project’s workplans were tracking project activities, however,the workplans need more regular revisions to identify and better coordinate theinterdependencies associated with significant project changes that have occurred. Wefound that some of these changes were not fully addressed in the workplans such as theimplementation of the SSC and the need to establish a system interface between the PAY-VA and PAID systems. Strengthening project documentation and workplans can provideDepartment officials with better information on the overall status of projectaccomplishments, future milestones, contract deliverables, and changes to the overallproject and costs.

Recommendation 1

We recommend that the Assistant Secretary for Management and the Assistant Secretaryfor Human Resources and Administration coordinate completion of required actions toensure that project documentation and workplans are sufficient to identify and supportmajor changes affecting the project’s scope, budget, cost, and schedule.

Assistant Secretary for Management and Assistant Secretary for Human Resourcesand Administration Comments

We concur. At the time of your review, the decision on the establishment of the singleShared Service Center (SSC) had not been approved. In the absence of this decision, thePAY-VA team was primarily focusing on the replacement PeopleSoft systemimplementation. When the Secretary approved the establishment of the SSC in late July,the PAY-VA team moved to quickly develop an integrated plan for VA’s new HR/payrolldelivery system, which included the SSC, the replacement system, and other technologyapplications. As a result, they have developed a master plan which identifies fourprototype phases for the new delivery system and the associated high level target datesfor testing the functionality and applications of each phase.

Implementation Plan

Detailed work plans have been developed for Phase 1 and actions are underway todevelop the detailed work plan for Phase 2. Detailed plans will be developed for eachphase.

(See Appendix VI on page 30 for the full text of the joint comments provided by theAssistant Secretaries.)

3

Office of Inspector General Comments

The comments and implementation actions presented by the Assistant Secretaries areacceptable and responsive to the recommendation. We consider the issue resolved andwill follow up on planned actions until they are completed.

4

2. Complete Project Cost Information Needs to be Maintained

We found that while the PAY-VA project members are tracking the majority of projectrelated costs, they also need to identify and accumulate cost information for projectexpenditures made against the Delegation of Procurement Authority (DPA) approval leveland for the Department’s in-house system development efforts. The project teamprovided budget schedules which identified estimated project expenditures through theyear 2001. However, we were unable to identify a project accounting report whichaccumulated and reported all of the project expenditures including the direct efforts of thePAY-VA field team members supporting the overall project needs from field facilities.Because the PAY-VA project team has implemented multi-disciplinary teams withspecific tasks and responsibilities and relied heavily on using the technical expertiseavailable within the Department to support this major initiative, the costs associated withthe in-house system development efforts are considered significant and should beidentified.

It is important that all project costs be adequately tracked to identify cumulativeexpenditures made against the DPA. VA developed and submitted a request to GSA tosupport the purchase of Commercially-Off-The Shelf (COTS)3 software, contractualsupport, hardware, and workstations. (A summary of the COTS software componentspurchased by the Department is in Appendix IV on page 23.) GSA approved a DPA of$37 million to acquire resources for Department-wide implementation, deployment, andmaintenance of the PAY-VA system.

Our review of expenditure records did not find that the DPA expenditures were readilyidentifiable for reporting purposes. Given the significant expenditures involved and thelong term nature of this system development project, accountability over projectexpenditures can be better assured by providing a means to identify costs associated withthe DPA and tracking the expenditures against the DPA’s approval levels. In response toour findings, PAY-VA project officials took action during the course of the evaluation toidentify and track expenditures associated with the DPA.

The review also found that VA in-house system development costs for the project werenot accounted for to the extent possible. We did find that project direct support costs hasbeen accounted for within the Offices of Financial Management and Human Resourcesincluding other direct contracts, travel, and supplies expenditures associated with variousPAY-VA teams. However, we found that costs associated with the support effort ofVA’s in-house personnel working on PAY-VA project teams has not been accounted forand over the course of this project the costs associated with this effort could besignificant. This type of information is needed to determine the Department’s total

3 An off-the-shelf software package is a program for performing some specific function or calculation, which is useful to more than one computeruser, and which is sufficiently documented to be used without modification on a defined computer configuration. Such a package may be used onmany hardware platforms, or it may be used on a single type of hardware. Off-the-shelf applications perform specific tasks such as compiling highlevel languages, network management support, word processing, financial spreadsheets, and database management.

5

system development costs. The Department’s ability to identify the full cost of providingHR/Payroll services will also be needed to ensure that future franchising initiativesaccurately address the cost of services the Department plans to sell.

Conclusion

Enhanced Tracking of PAY-VA Project Costs is Needed

The PAY-VA project team has a mechanism in place to monitor the majority of projectrelated costs, however, cost information needs to be identified and accumulated forproject expenditures approved by the DPA and for the Department’s in-house systemdevelopment efforts. In response to our findings, action was taken during the course ofthe evaluation to begin tracking and accounting for these expenditures to ensure allproject costs are captured.

Recommendation 2

We recommend that the Assistant Secretary for Management take action to ensure thatPAY-VA project costs are identified and accounted for involving expenditures under theDepartment’s Delegation of Procurement Authority (DPA) and for in-house systemdevelopment costs.

Assistant Secretary for Management Comments

Concur. The PAY-VA team worked with the Office of Information ResourcesManagement to develop a spreadsheet for tracking DPA costs. That action wascompleted during the course of the OIG review.

Implementation Plan

The PAY-VA team is currently developing a mechanism to track the time and associatedpayroll costs for the part time and intermittent field personnel involved on the project.That mechanism will be implemented to begin collecting data starting in February 1997.

(See Appendix VI on page 31 for the full text of the Assistant Secretary’s comments.)


The Assistant Secretary’s comments and implementation actions are acceptable andresponsive to the recommendation. We consider the issue resolved and will follow up onplanned actions until they are completed.

6

3. Contract Deliverables Need to be Sufficiently Defined

Our evaluation found that the workscope in VA’s contract to its COTS vendor needs tomore clearly define the products that can be acquired under the contract. The contractprovides for the purchase of approximately $1 million in products from the COTS vendorwithout describing product specifications or prices. More specific definitions of thesecontract deliverables are needed to provide the opportunity for enhanced oversight ofcontractor performance and determinations of price reasonableness. Orders had not beenplaced under this contract at the time of our review because the contract had just beenawarded. Efforts to ensure the adequacy of price reasonableness determinations can befurther enhanced by defining the products provided on this contract as to the specific typeof work provided and the level of expertise needed to ensure an acceptable level ofperformance. There are also opportunities to better ensure the value and prices theDepartment will pay for the products within this contract by using cost and price analysistechniques to selectively evaluate future delivery task orders.

Conclusion

Contract Deliverables in the Cots Vendor Contract Need to be Defined

We found that contract deliverables need to be better defined in a contract award to theCOTS software vendor. This will provide the opportunity to enhance assessments ofprice reasonableness relating to the purchase of these additional products.

Recommendation 3

We recommend that the Assistant Secretary for Management take action to assure that thecontract deliverables associated with the Department’s COTS vendor contract aresufficiently defined and consider using cost and price analysis techniques to selectivelyevaluate future delivery orders.


Concur. The contract is structured as a task-order based, indefinite quantity contract.The labor categories are priced in a not-to-exceed amount and represent the categories ofpersonnel which the VA requires for these professional support services. Although theContract Officer’s negotiation position at contract award was limited because only oneresponsible source could maintain the existing system, the rates were negotiated. Further,although many of the same services were available under the original General ServicesAdministration (GSA) negotiated contract, VA was paying added fees to GSA and did notenjoy a direct contractual relationship with the vendor. With this contract, VA totallycontrols the process through implementation of negotiated task orders. Further, theStatement of Work, Section C, clearly defines the services and products available underthis contract.

7

Implementation Plan

As task orders are developed under this contract, the Contracting Officer will thoroughlyassess the scope of work and the types of contractual staff being requested to perform thatwork. This will allow the Contracting Officer to assess the contractor’s price andnegotiate accordingly prior to issuance of each task order. Historical models can also beapplied in evaluating price reasonableness. We believe that these aspects of the contractand the process for issuing task orders will ensure that the task order scope is welldefined and VA’s costs are reasonable and appropriate.




8

4. A Project Security Plan is Needed to Address Security Controls for the PAY-VASystem

Our review found that a PAY-VA system security plan and associated project workplansneed to be completed. We found that the security team assigned was in the initial stagesof planning and addressing the need for system security controls. However, from ourobservations, the security team lacks sufficient team coordination to effectively addressthe system security needs within the project’s planned schedule. In addition, theDepartment’s security team leader was unable to locate a copy of the PAID and PAIDRedesign security plans which should be reviewed and considered in the development ofsecurity controls for the PAY-VA system. We also found that the security team is usingteleconference meetings to disseminate weekly information to other PAY-VA teammembers, but there are no minutes of these meetings and the individuals who participatedin the conference calls were not always the same team members listed as PAY-VAsecurity team members. As a result, we see a need to improve overall coordination onthis team.

As the security team moves toward identification and development of system securitycontrols, a number of key areas need to be addressed. In general, security plans shouldincorporate a definition of basic security needs which identifies sensitive information andapplications, systems concepts, and basic security objectives. The plan should estimatesecurity related costs, benefits, and identify security alternatives. It should also containthe establishment of quality assurance mechanisms for ensuring security with anappropriate mix of security controls, including contingency plans. (A summary of keyPAY-VA system security considerations is included in Appendix V on page 27.)

Conclusion

A Project Security Plan Needs to be Developed

Our review found that project managers had not completed a security plan and updatedassociated project workplans. There is a need to strengthen coordination on the PAY-VAsecurity team and to ensure the timely development of an adequate security plan. Thiswill help ensure the Department is in the best position to address the risks associated witha decentralized system and to implement controls to mitigate the associated risks.

Recommendation 4

We recommend that the Assistant Secretary for Management and the Assistant Secretaryfor Human Resources and Administration coordinate completion of a project securityplan to address security controls needed for the PAY-VA system.

9

Assistant Secretary for Management and Assistant Secretary for Human Resourcesand Administration Comments

We concur. At the time of the OIG review, the project implementation plans were at thepreliminary stages and had not sufficiently reached the point requiring the developmentof the new delivery system’s security requirements. A security plan has been developedfor Phase 1 of the project implementation plan. This plan will be updated toaccommodate security requirements as part of the planning for each of the remainingphases.

Implementation Plan

The PAY-VA project will implement an entirely new HR/payroll delivery system whichwill offer new security challenges with the advent of the SSC and employee/managerialself servicing. Because of this radically new environment, the PAY-VA team contractedwith an independent contractor to perform a risk and internal control assessment. Thepurpose of the assessment was to get an early assessment of the PAY-VA project’s plansfor security and internal controls in compliance with Federal requirements such as A-130,A-123, and A-127. The assessment was completed in December and the final report willbe distributed in January 1997. This early assessment will ensure that all security aspectsare identified as we move to implement the new delivery system.

(See Appendix VI on page 31 for the full text of the joint comments provided by theAssistant Secretaries.)


The comments and implementation actions presented by the Assistant Secretaries areacceptable and responsive to the recommendation. We consider the issue resolved andwill follow up on planned actions until they are completed.

10

5. FMFIA Reported Instances of Non-conformance and Previously Reported Issuesin VA’s 1991 “Crossroads Study” Need to be Addressed

A November 1994 decision paper supporting the replacement of VA’s current PAIDsystem stated that it was reported to the Office of Management and Budget (OMB) ashaving instances of material non-conformance and not meeting the requirements of theJoint Financial Management Improvement Program with respect to ease of adaptability,completeness of documentation, and other requirements of modern financial systems.The paper emphasized that these deficiencies must be corrected in order to ensure thatVA’s payroll system is in compliance with the core Federal financial systemrequirements.

Our review found that the project implementation plans need to be expanded to includehow the PAY-VA project will address the Federal Managers Financial Integrity Act(FMFIA) reported instances of material non-conformance associated with the PAIDsystem. In addition, the implementation plans need to show how issues reported in VA’s1991 Crossroads Study have or will be addressed. The PAY-VA initiative is expected toaddress many of the systemic weaknesses found in the Department’s current PAIDsystem. The Crossroads Study also identified other problems such as erroneous data inretirement records and noted a review must be accomplished even if the new system isadopted. There is a need to ensure that all of the pre-existing management deficiencieswill be effectively addressed in the new PAY-VA system.

In addition, our review found that certain HR and payroll system functionality needed bythe Department is being deferred, and is expected to be included in later software releasesfrom the COTS contractor. As a result, the Department’s ability to ensure that all of theFederal rules and regulations are met is conditional upon the contractor meeting itscontractual requirements and providing a complete Federalized product. The Departmentneeds to ensure that the final delivered product incorporates all core Federal systemrequirements that provides reasonable documentable assurance that information processedin the new system will be accurate, timely, complete, authorized, and that the systemitself is secure and auditable.

Conclusion

There is a Need to Ensure That Previously Reported PAID System Issues Are NotCarried Forward to the PAY-VA System

The PAY-VA initiative is expected to correct many of the systemic weaknesses whichwere found in the Department’s PAID system. However, the project implementationplans need to show how the FMFIA reported instances of material non-conformance andother reported deficiencies have or will be addressed so that existing material weaknessesand internal control vulnerabilities will not be carried forward to the new system.

11

Recommendation 5

We recommend that the Assistant Secretary for Management take action to ensure thatpreviously identified material weaknesses and internal control vulnerabilities in the PAIDsystem are addressed by the PAY-VA system.


Concur.

Implementation Plan

We will review prior management reviews and reports on the legacy system (PAID) anddocument how the PAY-VA solution will resolve these identified weaknesses. We planto complete that assessment by March 30, 1997.




12

6. Formal Training is Needed for Staff Tasked With Completing System SoftwareTesting, Acceptance, and Certification Requirements for the PAY-VA Project

Managers of the Systems Integrity Staff (SIS) located at the Austin Automation Center(AAC) acknowledged during the review that their staff lacked experience in auditingclient/server systems, which is the new software technology the PAY-VA project isacquiring. Given the significant testing, acceptance, and certification requirementsassociated with this project, formal training should be provided to the SIS staff taskedwith this assignment to help ensure the adequacy of system security controls.

The SIS is responsible for ensuring that proper internal controls, including independentvalidation and verification, are an integral part of all automated financial and relatedsystems under the purview of the Office of Financial Management.

Conclusion

Training is Needed for Staff Tasked With System Testing, Acceptance, andCertification Requirements

The SIS staff located at the AAC, tasked with completing system testing, acceptance andcertification requirements for the PAY-VA project need training to help ensure thatsystem test plans are adequately developed and implemented.

Recommendation 6

We recommend that the Assistant Secretary for Management take action to ensure thatappropriate training in auditing client server solutions is provided to the SIS staff who aretasked with testing, acceptance, and certification of PAY-VA software.


Concur. At the time of this review, the PAY-VA team was just beginning work to definean appropriate testing strategy and approach for the new delivery system. At that time,the SIS staff expressed their concerns since the project was relying heavily oncommercial software and a new client server environment as compared to VA’s and theSIS staff’s current mainframe system focus.

Implementation Plan

Since that time, a testing strategy for the entire new delivery system has been developedwhich addresses the various testing cycles and roles and responsibilities for those whowill participate in the testing. The SIS staff helped develop the approach and arecomfortable with it and their defined roles and responsibilities. Further, a member of theSIS participating in the PAY-VA testing has also attended a class on auditing client server

13

applications. With these actions, we believe that the SIS staff are prepared and haveappropriate experience, knowledge, and comfort to participate in the testing and ensurethe new system meets system and customer requirements.




14

7. The Contracting Officer’s Technical Representative Needs Formal Training onCOTR Duties

The Contracting Officer’s Technical Representative (COTR) for this project needs COTRtraining. Project officials explained that the COTR took over the responsibilities due toproject turnover without the benefit of formal training. We found that the COTR actedoutside of the procurement authority and did not follow appropriate procedures whenacquiring PAY-VA computer equipment in June and July 1996 on the open market. Thepurchase of 21 Pentium-133 computer systems and accessories costing $36,051 was splitinto three orders to stay within the COTR’s commercial credit card single purchasethreshold and within his basic contracting authority. The COTR’s single purchasethreshold is $25,000 or less, per purchase not to exceed $75,000 per month and hiscontract authority permits him to make expenditures up to and including $25,000 or themaximum order limitation for orders placed against established contracts. To helpenhance the performance of his duties, the COTR should receive appropriate trainingwhich PAY-VA project officials agreed would be scheduled in the near future.

Conclusion

The COTR Needs Training Relative to the Role and Responsibilities of This Position

A COTR has technical and administrative responsibilities which support the contractingofficer. These responsibilities are significant for the PAY-VA project because of themultiple procurement mechanisms used and the numerous contractors supporting theproject. The COTR needs formal training in order to effectively fulfill the ongoing dutiesand responsibilities of this position and ensure that future purchase orders are not split.

Recommendation 7

We recommend that the Assistant Secretary for Management take the following actions toenhance the function of the Contracting Officer’s Technical Representative by:

a. Providing formal training related to the role and responsibilities of this position.

b. Taking necessary actions to ensure future purchase orders are not split.


Though our review of the COTR’s actions do not confirm a purposeful splitting of orders,we do concur that he should receive appropriate training to ensure that he isknowledgeable of the federal procurement rules and requirements of his position.

15

Implementation Plan

Training is scheduled for the week of February 24, 1997.




APPENDIX I

16

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The purpose of the evaluation was to review the Department of Veterans Affairs (VA)design and development process for the new PAY-VA system. The project focused on (i)assessing the high risk components of the development project encompassing the systemlife cycle, costs, project management, and user participation, (ii) assessing key businessdecisions and assumptions used for the PAY-VA system design and development, and(iii) evaluating the coordination and control over the project and over the system’s dataintegrity including the adequacy of controls to prevent unauthorized use or release ofprivacy data. The evaluation included an assessment of the adequacy of operatingprocedures and controls being developed for the system. Since the Department is in theinitial stages of the PAY-VA system development initiative, our evaluation focused onproviding an early assessment of the implementation efforts.

Scope and Methodology

Project work included an evaluation of the Department’s system developmentmethodology, efforts, controls, timeliness, and cost for the implementation of the PAY-VA system. Work was performed in VA Central Office (VACO) involving VA’s Officeof the Assistant Secretary for Management and the Office of the Assistant Secretary forHuman Resources and Administration. Interviews were conducted with various PAY-VAproject team members in addition to appropriate VACO officials in the Veterans HealthAdministration (VHA), Veterans Benefits Administration (VBA), Office of NationalCemetery Service, Office of Information Resources Management, and the Office ofAcquisition and Materiel Management. Independent contractors and system userssupporting this initiative were also interviewed. Project documentation including keydecision papers was obtained and reviewed as deemed necessary. Field visits were made to the Austin Automation Center (AAC) and the Austin FinanceCenter (AFC) to meet with PAY-VA project team members and the current Personnel andAccounting Integrated Data (PAID) system support staff. Assessments were conductedby interviewing appropriate project officials to obtain necessary documentation and toobserve the current project team activities.

APPENDIX I

17

We also reviewed the results of various studies addressing PAY-VA issues anddocumentation relating to VA contract award to its COTS vendor and held discussionswith appropriate acquisition support staff. The evaluation considered FederalInformation Processing Standards (FIPS), VA ADP Policy, Federal government ADPguidance, Federal procurement standards, and public laws defining requirements forsecurity protection of information maintained in government ADP systems.

The evaluation was conducted in accordance with the Standards for Evaluation Practicepublished by the Evaluation Research Society.

APPENDIX II

18

BACKGROUND

VA’s Current System

The Department’s personnel and payroll requirements have been supported by VA’sPAID system since the early 1960s. PAID is a Department-wide integrated dataprocessing system encompassing human resources, payroll, other fiscal operations, fiscalreporting, and human resources statistical reporting. The system supports approximately260,000 employees and provides the requisite processing and reporting to meet legislativeand administrative requirements. It processes an estimated $11 billion in annual salarypayments. PAID also provides mandatory reporting and audit controls required bygovernment agencies having input into VA’s budgetary and appropriation cycle. Everyorganizational element in VACO and VA field facilities uses the system. Humanresources and payroll office input and processing are provided at more than 250 sitesacross the United States, Puerto Rico, and the Philippines.

Previous Efforts to Replace the PAID System

In 1991, VA completed a 10-year effort called PAID Redesign which was originallyexpected to replace PAID with a modern system. That effort resulted in several systemenhancements to PAID, however, VA officials determined that PAID still could not meetthe Department’s present or future needs. VA officials issued a 1991 report, entitledCrossroads Study PAY-VA Project which found that there were numerous errors inemployee pay, retirement records, and reports to Internal Revenue Service and the Officeof Personnel Management. It noted that the system was virtually unmaintainable, VAwas at risk of experiencing a catastrophic system failure, and the payroll system lackedappropriate internal controls and audit trails. The report concluded that VA was incurringexcessive system maintenance expenses of approximately $3 million a year. TheCrossroads Study recommended that VA stop the PAID Redesign project.

New PAY-VA Team Established

In 1992, an interdisciplinary team, called PAY-VA was tasked to determine and analyzealternatives to PAID. PAY-VA is a joint project of the Office of Financial Managementand the Office of Human Resources Management and is a component of the Department’slong-term strategy for improving resource management systems and services.

APPENDIX II

19

The team identified the following four major options for replacing PAID:

• Custom Development.• Outsourcing to either a private vendor or another government agency.• Importing and running in-house Federal software.• Purchasing and adapting commercial off-the-shelf software product(s).

The team concluded their study to evaluate options and alternatives to the PAID systemand recommended to Department officials that VA acquire and customize a maturesoftware system available in the commercial marketplace. The Assistant Secretary forFinance and Information Resources Management (currently the Assistant Secretary forManagement) and the Assistant Secretary for Human Resources and Administrationaccepted that recommendation and attempted to secure budgetary support for the project,called PAY-VA.

In 1994, new senior management within the Office of Financial Management began toassume responsibility for the project in anticipation of Fiscal Year (FY) 1995 funding andinitiated actions to acquire a Human Resource/Payroll Commercially-Off-The Shelf(COTS) product. The initial project funding was not appropriated until FY 1995. ACOTS HR/payroll software product was purchased in September 1995 for approximately$6 million. Expert systems software such as interactive voice response, positionclassification and resume processing has also been purchased for approximately$650,000. In addition, the Department has awarded a contract to its COTS vendor valuedat approximately $9.3 for support services, maintenance, and additional products whichcan support the customization and deployment of the new system through the year 2001.

Hardware to support the new system has been estimated at $12 million. The minimumclient platform for the PAY-VA users is a Pentium-based PC with 16 Mbytes of RAM, 1Gbyte of disk storage, 1.44 Mbyte floppy disk drive, CD-ROM, and a 32-bit PCI Ethernetnetwork interface card for accessing the field station LAN. The COTS product willeventually replace the Department’s current PAID, On Line Data Entry, and ElectronicTime and Attendance systems.

The PAY-VA team is comprised of a core PAY-VA team averaging approximately 15 fulltime VACO members, augmented by approximately 5-10 full time Austin AutomationCenter team members, and 20-30 field station team members and various subject matterexpert working as needed. The Department’s HR/Payroll subject matter experts areparticipating on an as needed basis. In addition, approximately 10-15 full time staff fromindependent contractors are supporting this project initiative. Subteams were formedwith a mix of varied resources to address specific tasks as needed.

APPENDIX II

20

PAY-VA Plans for Phased Deployment

The PAY-VA initiative is expected to replace the current PAID system by incorporatingcommercial off-the-shelf software with client server and cooperative processingtechnologies. The PAY-VA project team is working to capitalize on the features ofcommercial software, streamline current procedures, and improve business practices andprocesses. It is expected to result in an integrated system with full range of capabilitiesand features required to support VA’s functional requirements for human resourceadministration, payroll, benefits administration, and management reporting.

The new system has a contract life equal to 10 years. The initial 5 years provides forobtaining the necessary software development support services and includes a 4-yearphased deployment. The remaining 5 years provides for future product maintenancereleases, upgrades, and software development support. The Department has takendelivery on the initial human resource and benefits software and anticipates delivery oftwo additional software modules which are expected to provide payroll and time andlabor system functionality by July 1997.

Project Schedule and Major Milestones

The milestones (i.e. completion dates and/or primary period of performance) for PAY-VA are identified in the chart below. The commercial releases for the payroll and timeand labor Federal products which the Department has purchased were still underdevelopment at the time of this evaluation. Project plans identify the following keymilestones for each product release identified relating to the four basic software modulespurchased as part of the COTS HR/Payroll integrated package.

Item/Activity COTSProduct

FederalizedCOTS (HR)

FederalizedCOTS

(Benefits)

FederalizedCOTS

(Payroll)Delivery 10/95 4/96 10/96 8/97Training Start 10/95 12/96 2/97 10/97Design, VA uniquecustomizations

10/96-2/97

10/96-6/97

8/97-12/97

Customization(s) 2/97 7/97 10/97Pilot(s) Start Date 4/97 7/97 10/97Deployment 1998-1999 1998-1999 1998-1999Maintenance &Enhancements

2000 2000 2000

APPENDIX II

21

System Life-Cycle Cost and Benefit Projections

Projections as of June 1996 show that the life-cycle costs for PAY-VA are estimated atapproximately $115 million. The single site Shared Service Center (SSC) increases theprojected life cycle cost approximately $50 million. The projected life cycle benefits ofthe new system were estimated at about $65 million and are now expected to increase toapproximately $205 million with the establishment of the SSC. The significant increasein life cycle benefits are primarily attributable to staffing reductions which can beachieved by consolidation of support services, eliminating redundant service delivery, andfully leveraging technology.

APPENDIX III

22

IMPLEMENTATION OF A SHARED SERVICE CENTER

As part of this major PAY-VA initiative, significant efforts were made by the PAY-VAproject team to examine existing HR/Payroll business processes, apply lessons learned“best practices” of leading organizations, and to streamline the Department’s futurebusiness environment. As a result of the Department’s efforts to ensure HR/Payrollsupport is delivered effectively, the PAY-VA reengineering team4 examined howHR/Payroll support was being delivered in environments external to the Department,analyzing a cross section of private industry, Federal, and state governmentsorganizations. The team recommended the Department implement a new Shared ServiceCenter (SSC) as VA’s new HR/Payroll service delivery mechanism. The establishment ofa single HR/Payroll SSC was approved by the Secretary of Veterans Affairs in July 1996.

The initial project for the SSC staffing level is estimated at approximately 350 Full TimeEquivalent Employees. Establishing the SSC will require direct investment costs ofapproximately $29 million. The investment costs include such items as building lease,communications, staff relocation, and training. PAY-VA officials project that the SSCcan be ready for operational prototyping by January 1997, and that Department-widedeployment would begin around July 1997, with phased implementation to be completedby the end of FY 1999.

The majority of HR/Payroll transactional and informational activities for the entire VAwill be consolidated at a single site in order to:

• Provide “tiered” services (three increasing levels of expertise).• Consolidate support services and eliminate redundant service delivery.• Concentrate functional and technical expertise.• Facilitate and enable employees to effect certain personnel transactions that have

previously required processing by HR and other office administrative personnel.

4 The reengineering team consists of a diverse, multidisciplinary representation of VHA, VBA, VACO and other support organization staff involved inthe HR/Payroll and information resources management activities. The team identified the mission and critical success factors for HR/Payroll,performance measures, business issues, and recommendations for the design team.

APPENDIX IV

23

COTS SOFTWARE COMPONENTS PURCHASEDBY THE DEPARTMENT

The Department has purchased four primary software modules, including humanresources, benefits administration, time and labor, and payroll. The components of thesemodules include the following:

Human Resource Module

Action Requests The Actions Request component will provide employees, supervisors andmanagers the ability to request specific actions be taken upon their or asubordinate’s request. This module will include action requests such as theStandard Form (SF) 52 Personnel Actions, awards request, health benefitchanges, and life insurance requests.

Career Planning The career planning component provides a comprehensive approach tomanaging employee career planning. Within the career plan, the positionpath, ranking and potential, goals, mentoring, strength, development areas,associated training plan, and development plan are provided. Additionally, aninventory of employee skills is available for review and modification.

General Tables General tables affect all modules. Examples would include location table,locality rate table, paygroup table, department tables, installation tables, andagency tables.

Health and Safety The Health and Safety component provides for the tracking and managementof injury/worker’s compensation management. Within this component,incidents and associated information are tracked. This provides managementwith injury and illness costs as well as source information. A comprehensiveclaims management panel (i.e., system menu or screen) group is provided.Tracking of required examinations is also available.

PerformanceManagement

The performance management component provides for comprehensiveemployee evaluation. This component includes appraisals, performancestandards, and numerous reports/summary panels which identify the appraisalrating breakout and reporting.

PersonnelAdministration

The personnel administration component will contain the basic employment,personnel, and employee history for each employee. This component will alsoinclude basic employee data, such as education, work experience, adverseactions, testing, and employee photo.

PersonnelAdministration Tables

The personnel administration tables component contains tables of informationwhich are unique to the personnel administration component. Examples oftables which are covered are nature of action codes, legal authority codes, andbargaining unit.

APPENDIX IV

24

Human Resource Module (Continued)

Position Management Position management focuses on two primary areas: positions and positiondescriptions. The position description panel group provides for the entry ofkey position description data; such as grade, pay plan, occupational series,supervisory level, and position description. The position panel groupsprovides for tracking individual positions which support one or moreemployees. This component also provides for position history and budgetcontrol.

Recruitment The recruitment component tracks both applicants and vacancies. Underapplicant tracking, the applicants prior work experience, skills, andreasonable accommodation requirements are tracked; as well as, anypositions for which the applicant would like to be considered. Also includedare applicant checklists and any activity that has occurred on the applicant(e.g., jobs considered, status, when considered, etc.). This component alsoincludes vacancy announcement processing, which includes supporting thecreation and maintenance of vacancy announcements, associated expenses,and search capabilities. Search capabilities provide for job ranking andidentification of skills; education and experience for employees, applicants,and candidates.

Regulatory Compliance Provides for the tracking and reporting of reasonable accommodations andfor affirmative action plans, adverse actions, equal employment, veterans,and work force analysis.

Salary Administration This component includes salary planning, salary budget and approval, salarymatrix and merit increase, salary grade and step tables, and mass salaryincreases.

Skills Inventory The skills inventory component provides for skills tracking by employee.This component also provides tracking of tests, languages, licenses,certificates, memberships, honors, special projects, and training completed.

Succession Planning The succession planning component provides management with the ability tofill key positions by using succession plans to identify potential successors.Managers can also perform on-line searches for other qualified candidates,both current employees and external applicants. Succession planning canalso help identify leadership gaps, anticipate staffing requirements, and builda pool of highly qualified employees.

Training Administration This component provides for the tracking and maintenance of employeetraining information and training plans (i.e. Individual Training Plans). Themodule provides for internal course and session management and supportsall key/critical components such as vendor, facility, cost, and materialstracking. This component also supports the administration and tracking ofnon employees and provides for comprehensive training administration.

Employee and LaborRelations

This component focuses on the ability to track and report against disciplinaryactions, grievances, and union activity. The disciplinary actions componentprovides the mechanism to track and report against each stage of thedisciplinary process. It also provides a comprehensive grievance trackingpanel group which addresses the grievance from the initial report toconclusion and final resolution. Union activity is tracked to ensure unionparticipation is recognized and managed properly.

APPENDIX IV

25

Benefits Administration Module

Benefits This component provides for the definition of the benefits plans. As part ofthe benefits plan definitions, are rules based processing and rate scheduleswhich are defined solely from on-line processing capabilities. Within thiscomponent, all leave plans (sick, holiday, annual, etc.) are also defined withtheir associated rules and accrual rates. The benefits component also providesfor provider identification and reporting.

Benefits Administration This component is an extension of basic benefits which adds the capabilitiesfor mass enrollment and interactive voice response interface.

Payroll Module

Employee Payroll Data This component addresses all employee based information associated withpayroll. The module leverages the integrated design to only require input ofpayroll specific information, while using the HR based information to controlchanges to salary, positions, etc. Employee payroll data includes additionalpay, direct deposit, tax elections, garnishments, deductions, payroll specificinformation, and savings bonds elections. It has on-line balances andaccumulators for deductions, garnishments, savings bonds, etc. to include W-2information.

General LedgerInterface

This interface is provided with the system and can be customized using SQR,the tool used to write the interface. The account structure and summaries canbe controlled within the interface. The general ledger interface is, in essence,a standard report that extracts data from the database and formats it into aformat acceptable to a general ledger system.

Pay Process Tables Contains all of the standard tables which support payroll processing. TheCOTS vendor provides and maintains many of these tables, to include federal,state, and local tax tables, federal and state garnishment rules, earnings anddeductions plans, and deduction priorities.

Payroll Reporting The COTS product delivers a comprehensive set of standard tax and payrollreports. These reports include a tax deposit summary, quarterly state reportsin paper and magnetic tape, local tax reports, and W-2 reporting. Additionalreports include retroactive pay, employee earnings, and leave accruals.

Paysheets The paysheets component provides for time entry of employee hours. Forthose employees’s who are full time salaried or hourly, hours areautomatically posted, to provide for exception based entry. Paysheets providefor the entry of additional earnings and payroll messages. Paysheets providefor direct deposit processing, pay calculation, the pay calendar, payconfirmation, and actual paycheck creation.

APPENDIX IV

26

Time and Labor Module

Time and Labor This module will facilitate the recording of any required information by anorganization that can be attributed to an employee and expressed in hours.The time and labor module addresses scheduling, time collection,compensation, attendance, distribution and costing, payroll interface, andlabor distribution. Its design is based upon both exception and paperlessprocessing techniques.

Other Development Tools

The COTS purchase also includes a rapid development tool kit which the COTS vendorused to design and build its product. The capabilities of these tools are provided throughpull-down menus and explicit prompts.

Expert Systems Purchased by the Department

The Department is also in the process of acquiring additional system capabilities tofacilitate the efficient delivery of HR/Payroll services. These technologies are referred toas expert systems, and include the following:

Automated ResumeProcessing

This technology will enable resumes to be scanned or faxed into a system andprocessed by optical recognition software. Text files are created, checked forerrors and stored in an indexed text-retrieval database. High volumes ofresumes can be searched by word or phrase with matching of candidates topositions. This technology can facilitate the recruitment and staffingprocesses.

Automated ClassificationProcessing

This technology integrates position description, performance plan, trainingrequirements, and knowledge skills and abilities for classifying duties andresponsibilities. It enables electronic position classification via artificialintelligence and removes many of the manual and paper intensive activitiesassociated with position classification and management.

Interactive VoiceResponse (IVR)

IVR enables the distribution, gathering and processing of information throughhome or business touch tone phones. The system can answer calls throughone or more 800 numbers and guide callers through a structured HR, benefits,and payroll information exchange process.

KIOSKs Provide an alternative user interface for accessing the main COTS application.The KIOSK will provide access to many of the same self service options as theIVR and those available through a desktop computer. KIOSKs can be placedin high traffic assessable locations at each field station and in VACO. It willconsist of a 20-inch display with touch-screen technology that walks anemployee through the self service options.

APPENDIX V

27

KEY PAY-VA SYSTEM SECURITY CONSIDERATIONS

Security Focus Areas

The evaluation found that the PAY-VA project team was in the initial stage of preparing asecurity plan and initiating a risk assessment5. The PAY-VA project managers recognizethat system security6 measures are critical to maintaining good internal controls for thissystem. The system needs to assure that appropriate electronic access controls are inplace so that unauthorized individuals do not gain access to sensitive or privacyinformation maintained and have the opportunity to manipulate or improperly disclose theinformation, causing a significant potential loss to VA. Because payroll is potentially ahighly vulnerable area for fraud, waste, and abuse; the importance of controls can not beoverstated and these controls should be considered as an integral part of all functionswithin the new PAY-VA HR/Payroll system.

Management control processes need to ensure security controls are incorporated into newapplications and significant system modifications. Early review of basic security needsshould be accomplished to identify sensitive information and applications, security, andcontrols. This can help provide managers with a better understanding of the wide varietyof threats, vulnerabilities, and risks so that appropriate security alternatives can beconsidered and implemented.

Computer security certification7 and accreditation8 is a form of quality control that is usedfor applications, such as PAY-VA, with a significant potential for loss. It benefits theDepartment by providing managers with technical information needed to make criticaldecisions and increases an awareness of computer security throughout the organization.The process can help protect against fraud, illegal practices, mission failures,inappropriate disclosure of information, and legal action while it provides addedassurances that a computer application satisfies its defined functional, performance,security, quality, and reliability requirements. Certification and accreditation of the newPAY-VA computer application needs to be accomplished as part of this majorDepartmental initiative.

5 An assessment of the threats to and vulnerabilities of, an automated information system or an installation. The analysis may vary from an informalreview of a microcomputer installation to a formal, fully quantified risk assessment of a large scale computer center. The model framework initiationand definition system development phases require the following documentation: needs statement, feasibility study, risk assessment, cost/benefitanalysis, system decision paper, project and internal audit plans, and functional and data requirements documents.6 The quality exhibited by a computer system or application that embodies its protection against internal failures, human errors, attacks, and naturalcatastrophes that might cause improper disclosure, modification, destruction, or denial of service. Computer security is a relative quality, not anabsolute state to be achieved.7 Certification consists of a technical evaluation of a sensitive application to see how well it meets security requirements.8 Accreditation is the official management authorization for the operation of the application and is based on the certification process as well as othermanagement considerations.

APPENDIX V

28

In general, security plans should incorporate a definition of basic security needs whichidentifies sensitive information and applications, system concepts, and basic securityobjectives. The plan should estimate security related costs, benefits, and identify securityalternatives. It should also contain the establishment of quality assurance mechanisms forensuring security with an appropriate mix of security controls, including contingencyplans. Since each organization faces different risks and unique exposures designing andimplementing security controls into a system such as PAY-VA, normally management isfaced with making decisions regarding a series of choices which balance the level ofprotection needed against the ease of use and cost.

Federal System Development Requirements, Guidance and Policy

Guidelines and requirements which need to be considered in the system developmentprocess include the Privacy Act of 1974 as amended, and the Computer Security Act of1987 which contain provisions requiring agencies to protect the confidentiality andintegrity of the sensitive information that they maintain. Also, Office of Management andBudget (OMB) Circular No. 130, Appendix III, entitled “Security of Federal AutomatedInformation Resources” and Federal Information Processing Standards Publication (FIPS)102, Guideline for Computer Security Certification and Accreditation provide specificguidance addressing security for automated information systems. Department proceduresto address these requirements are included in MP-6, Part I, Chapter 2, revised February24, 1992 entitled “Automated Information System (AIS) Security Policy.”

In addition, the adequacy of controls over computerized data is addressed indirectly bythe Federal Managers Financial Integrity Act (FMFIA) of 1982 and the Chief FinancialOfficers (CFO) Act of 1990. FMFIA requires agency managers to annually evaluate theirinternal control systems and report to the President and Congress any materialweaknesses that could lead to fraud, waste, and abuse in government operations. TheCFO Act requires agency CFOs to develop and maintain financial management systemsthat provide complete, reliable, consistent, and timely information.

A provision of MP-6 Part I, Chapter 2, added a requirement that system development is tobe consistent with the life cycle documentation requirements of the model framework formanagement control over automated information systems issued by OMB in January1988. The model framework provides a methodology that Federal managers can use toensure adequate control over automated systems.

APPENDIX V

29

OMB is responsible for developing information security policies and overseeing agencypractices. OMB Circular A-130 requirements include the following:

• Agencies establish a management control process to assure that appropriateadministrative, physical, and technical safeguards are incorporated into allapplications, and into significant modifications to existing applications.

• Agencies shall define and approve security requirements and specifications prior toacquiring or starting formal development of the applications.

• The results of risk analyses performed should be taken into account when definingand approving security specifications for the applications.

• Other vulnerabilities of the applications, such as telecommunication links, shall alsobe considered in defining security requirements.

APPENDIX VI

30

ASSISTANT SECRETARY FOR MANAGEMENT AND ASSISTANTSECRETARY FOR HUMAN RESOURCES AND ADMINISTRATION

JOINT COMMENTS

Department ofVeterans Affairs MemorandumDate: January 22, 1997

From: Assistant Secretary for Management (004) Assistant Secretary for Human Resources and Administration (006)

Subj: Comments on Evaluation of the Design and Implementation of PAY VA

To: Michael G. Sullivan, Assistant Inspector General for Auditing (52)

1. We appreciate the opportunity to comment on your draft report. Ourcomments are attached.

2. Your early review of the PAY VA project’s design and developmentprocess and the associated recommendations are helpful and will assist usin ensuring that this critical Department initiative is a success.

3. Please feel free to contact Sandra Weisman on (202) 273-9485 if you haveany questions about our reply.

[Signed] [Signed]D. Mark Catlett Eugene A. Brickhouse

Attachment

VA Form 2105Mar 1989

APPENDIX VI

31

EVALUATION OF THE DESIGN AND IMPLEMENTATION OF PAY VA

004/006 Comments

Recommendation 1 - The Assistant Secretary for Management and theAssistant Secretary for Human Resources and Administration shouldcoordinate completion of required actions to ensure that projectdocumentation and workplans are sufficient to identify and support majorchanges affecting the project’s scope, budget, cost, and schedule.

We concur. At the time of your review, the decision on the establishment of thesingle Shared Service Center (SSC) had not yet been approved. In the absence ofthis decision, the PAY VA team was primarily focusing on the replacementPeopleSoft system implementation. When the Secretary approved theestablishment of the SSC in late July, the PAY VA team moved to quicklydevelop an integrated plan for VA’s new HR/payroll delivery system, whichincluded the SSC, the replacement system, and other technology applications.As a result, they have developed a master plan which identifies four prototypephases for the new delivery system and the associated high level target dates fortesting the functionality and applications of each phase. Detailed work planshave been developed for Phase 1 and actions are underway to develop thedetailed work plan for Phase 2. Detailed plans will be developed for each phase.

Since the beginning of this project, the PAY VA team has been required todevelop a tactical plan which identifies high level project scope andmilestones/completion dates. On a monthly basis, the team submits a statusreport on project progress, achievements, and changes in scope or directionagainst the plan. Further, the PAY VA team periodically briefs the AssistantSecretaries for Management and Human Resources and Administration onproject status or as part of key decision points. The PAY VA project is a criticalDepartment initiative which we believe has an appropriate level of managementreview and oversight and with the development of the master plan and thedetailed supporting plans, will help us to ensure project scope, budget, cost andschedule.

APPENDIX VI

32

Recommendation 2 - The Assistant Secretary for Management should takeaction to ensure that PAY VA project costs are identified and accounted forinvolving expenditures under the Department’s Delegation of ProcurementAuthority (DPA) and for in-house system development costs.

We concur. The PAY VA team worked with the Office of Information ResourcesManagement to develop a spreadsheet for tracking DPA costs. That action wascompleted during the course of the OIG review. The PAY VA team is currentlydeveloping a mechanism to track the time and associated payroll costs for thepart time and intermittent field personnel involved on the project. Thatmechanism will be implemented to begin collecting data starting in February1997.

Recommendation 3 - The Assistant Secretary for Management should takeaction to assure that the contract deliverables associated with theDepartment’s COTS vendor contract are sufficiently defined and considerusing cost price analysis techniques to selectively evaluate future deliveryorders.

We concur. The contract is structured as a task-order based, indefinite quantitycontract. The labor categories are priced in a not-to-exceed amount andrepresent the categories of personnel which the VA requires for theseprofessional support services. Although the Contract Officer’s negotiationposition at contract award was limited because only one responsible sourcecould maintain the existing system, the rates were negotiated. Further, althoughmany of the same services were available under the original General ServicesAdministration (GSA) negotiated contract, VA was paying added fees to GSAand did not enjoy a direct contractual relationship with the vendor. With thiscontract, VA totally controls the process through implementation of negotiatedtask orders. Further, the Statement of Work, Section C, clearly defines theservices and products available under this contract. As task orders aredeveloped under this contract, the Contracting Officer will thoroughly assess thescope of work and the types of contractual staff being requested to perform thatwork. This will allow the Contracting Officer to assess the contractor’s price andnegotiate accordingly prior to issuance of each task order. Historical models canalso be applied in evaluating price reasonableness. We believe that these aspectsof the contract and the process for issuing task orders will ensure that the taskorder scope is well defined and VA’s costs are reasonable and appropriate.

APPENDIX VI

33

Recommendation 4 - The Assistant Secretary for Management and theAssistant Secretary for Human Resources and Administration coordinatecompletion of a project security plan to address security controls needed forthe PAY VA system.

We concur. At the time of the OIG review, the project implementation planswere at the preliminary stages and had not sufficiently reached the pointrequiring the development of the new delivery system’s security requirements.A security plan has been developed for Phase 1 of the project implementationplan. This plan will be updated to accommodate security requirements as partof the planning for each of the remaining phases.

The PAY VA project will implement an entirely new HR/payroll deliverysystem which will offer new security challenges with the advent of the SSC andemployee/managerial self servicing. Because of this radically new environment,the PAY VA team contracted with an independent contractor to perform a riskand internal control assessment. The purpose of the assessment was to get anearly assessment of the PAY VA project’s plans for security and internal controlsin compliance with Federal requirements such as A-130, A-123, and A-127. Theassessment was completed in December and the final report will be distributedin January 1997. This early assessment will ensure that all security aspects areidentified as we move to implement the new delivery system.

Recommendation 5 - The Assistant Secretary for Management should takeaction to ensure that previously identified material weaknesses and internalcontrol vulnerabilities in the PAID system are addressed by the PAY VAsystem.

We concur. We will review prior management reviews and reports on thelegacy system (PAID) and document how the PAY VA solution will resolvethese identified weaknesses. We plan to complete that assessment by March 30,1997.

APPENDIX VI

34

Recommendation 6 - The Assistant Secretary for Management should takeaction to ensure that appropriate training in auditing client server solutions isprovided to the SIS staff who are tasked with testing, acceptance, andcertification of PAY VA software.

We concur. At the time of this review, the PAY VA team was just beginningwork to define an appropriate testing strategy and approach for the newdelivery system. At that time, the SIS staff expressed their concerns since theproject was relying heavily on commercial software and a new client serverenvironment as compared to VA’s and the SIS staff’s current mainframe systemfocus. Since that time, a testing strategy for the entire new delivery system hasbeen developed which addresses the various testing cycles and roles andresponsibilities for thosewho will participate in the testing. The SIS staff helpeddevelop the approach and are comfortable with it and their defined roles andresponsibilities. further, a member of the SIS participating in the PAY VAtesting has also attended a class on auditing client server applications. Withthese actions, we believe that the SIS staff are prepared and have appropriateexperience, knowledge, and comfort to participate in the testing and ensure thatthe new system meets system and customer requirements.

Recommendation 7 - The Assistant Secretary for Management should take thefollowing actions to enhance the function of the Contracting Officer’sTechnical Representative by: providing formal training related to roles andresponsibilities of this position and taking necessary actions to ensure futurepurchase orders are not split.

Though our review of the COTR’s actions do not confirm a purposeful splittingof orders, we do concur that he should receive appropriate training to ensurethat he is knowledgeable of the federal procurement rules and requirements ofhis position. That training is scheduled for the week of February 24, 1997.

APPENDIX VII

35

FINAL REPORT DISTRIBUTION

VA DistributionSecretary of Veterans Affairs (00)Under Secretary for Health (105E)Acting Under Secretary for Benefits (20A11)Director, National Cemetery System (40)General Counsel (02)Assistant Secretary for Management (004)Assistant Secretary for Human Resources and Administration (006)Assistant Secretary for Policy and Planning (008)Assistant Secretary for Congressional Affairs (009)Deputy Assistant Secretary for Public Affairs (80)Deputy Assistant Secretary for Congressional Affairs (60)Deputy Assistant Secretary for Information Resources Management (045)Network Directors, VISN 1-22Associate Deputy Assistant Secretary, Office of Financial Systems (047E)Director, Human Resources Planning & Organizational Effectiveness (05C)Director, Austin Automation Center (200/00)Director, Austin Finance Center (104/00)PAY-VA Co Managers (047E2/047E2A)

Non-VA DistributionOffice of Management and BudgetU.S. General Accounting OfficeCongressional Committees:

Chairman, Senate Committee on Governmental AffairsRanking Member, Senate Committee on Governmental AffairsChairman, Senate Committee on Veterans' AffairsRanking Member, Senate Committee on Veterans' AffairsChairman, House Committee on Government Reform and OversightRanking Member, House Committee on Government Reform and OversightChairman, House Committee on Veterans' AffairsRanking Democratic Member, House Committee on Veterans' AffairsChairman, Senate Subcommittee on VA, HUD, and Independent Agencies,

Committee on AppropriationsRanking Member, Senate Subcommittee on VA, HUD, and Independent Agencies,

Committee on AppropriationsChairman, House Subcommittee on VA, HUD, and Independent Agencies,

Committee on AppropriationsRanking Member, House Subcommittee on VA, HUD, and Independent Agencies,

Committee on Appropriations

Documents

EVALUATION OF THE DESIGN AND IMPLEMENTATION OF PAY-VA